Krebs on Security

In-depth security news and investigation

The FTC’s Internet of Things (IoT) Challenge

One of the biggest cybersecurity stories of 2016 was the surge in online attacks caused by poorly-secured “Internet of Things” (IoT) devices such as Internet routers, security cameras, digital video recorders (DVRs) and smart appliances. Many readers here have commented with ideas about how to counter vulnerabilities caused by out-of-date software in IoT devices, so why not pitch your idea for money? Who knows, you could win up to $25,000 in a new contest put on by the U.S. Federal Trade Commission (FTC).

Electronics giant LG said today at the Consumer Electronics Show (CES) that all of its appliances from now on will have Wi-Fi built in and be connected to the cloud. Image: Mashable

The FTC’s IoT Home Inspector Challenge is seeking ideas for a tool of some sort that would address the burgeoning IoT mess. The agency says it’s offering a cash prize of up to $25,000 for the best technical solution, with up to $3,000 available for as many as three honorable mention winner(s).

The FTC said an ideal tool “might be a physical device that the consumer can add to his or her home network that would check and install updates for other IoT devices on that home network, or it might be an app or cloud-based service, or a dashboard or other user interface. Contestants also have the option of adding features such as those that would address hard-coded, factory default or easy-to-guess passwords.”

According to the contest’s home page, submissions will be accepted as early as March 1, 2017 and are due May 22, 2017 at 12:00 p.m. EDT. Winners will be announced on or about July 27, 2017.

I’m glad to see the FTC engaging the public on this important issue. Gartner Inc.forecasts that 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and will reach 20.8 billion by 2020. In 2016, 5.5 million new things will get connected each day, Gartner estimates. If only a fraction of these new IoT devices are shipped with sloppy security defaults — such as hard-coded accounts and passwords — the IoT problem is going to get a lot worse in the coming years.

This entry was posted on Wednesday, January 4th, 2017 at 12:56 pm and is filed under Other.
You can follow any comments to this entry through the RSS 2.0 feed.
Both comments and pings are currently closed.

58 comments

The first effective solutions will probably come from antivirus and/or consumer firewall vendors in the form of subscription-based patches and firewall block rules as each exploit or design flaw becomes known. Very similar to what antivirus market is already, just another vector to collect rent on.

The solution to the internet of things is to develop another internet of things device that will come with it’s own set of security vulnerabilities. Does this sound like a real solution to the problem?

Here’s a novel idea.

Any company that wants to sell a device in the U.S. has to send an example to the FTC. The FTC puts the device on the internet and offers a bounty to anyone who can crack the device and provide details about how they did it. This information is provided to the vendor so they can plug the vulnerability. Until no one cracks the device for a specific period of time the vendor can’t sell the device in the U.S.

It may be that the broadest, easiest, and fastest to implement is to have service providers limit traffic from compromised MAC address blocks to one packet per XXX seconds when requested by a service under attack. Assuming MAC addresses are assigned sequentially to hardware producers, when a webcam maker’s defective products start abusing the net, they can be excluded for as long as necessary.

By nature IOT devices should be Internet facing, blocking ports and setting rules and fkrewall can improve the security enough to get you out of the radar of the common attacks
It is misleading to think that firewall are generic solution to vulnerabilities.

A software package installed on customer computer and and a hardened (secure) wireless router are the solutions. Software package would include search tools, auto update IoT tools, auto update security settings tools, and manuals. The secure router would replace the junk insecure routers supplied by ISPs with a plug-and-play security by default part.

1st. Simple solution is to beat the bad guys to the punch. Have the various countries security authorities, run a combined IoT web crawler & change the username & password for every unsecure device they find. Thus is no longe ron defaults for the bad guys. Any local user with physical access can reset or recover the device if needs be, most never will !

2nd. Introduce worldwide (or local) sales legislation that every device should either be secure by design, or have to come with either an individual password, i.e. no default login credentials, sort of like a broadband router wifi key per device. Or be configured such that the end user MUST set a unique password before the device will function.